cybergate | d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Size

284KB
MD5

c716367a1771cb09ada30f56d3ca54cd
SHA1

3bb7123c13b84ff81d20101fd755efcc705f3a89
SHA256

d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622
SHA512

a876447d41ba27c4103a86a4858af3604d5ad52310cf4229bbf921c84188e827f61183cb94d99f5e5d206995702a1e97a87beebe31a452432ad464ae1b1e3386
SSDEEP

6144:Bk4qmkG62H1fy75z2ipU8yiUR7NT+OUJR96t/lPC9Q+iha:W9N5KWKR50Jr6/yQDM

Score

10^/10

cybergate victima discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

victima

curuza.no-ip.org:8560

Mutex

***MUTEX***

Attributes

enable_keylogger
false
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
install
install_file
windows.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
El ejecutable no es compatible con su sistema operativo.
message_box_title
Error 0x0125698
password
1234
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4492 created 3120	4492	WerFault.exe	89

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:/windows\\install\\windows.exe"	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "c:/windows\\install\\windows.exe"	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3R5QGF5X-N800-425Y-M123-R5SO1J8B5T81}	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3R5QGF5X-N800-425Y-M123-R5SO1J8B5T81}\StubPath = "c:/windows\\install\\windows.exe Restart"	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{3R5QGF5X-N800-425Y-M123-R5SO1J8B5T81}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3R5QGF5X-N800-425Y-M123-R5SO1J8B5T81}\StubPath = "c:/windows\\install\\windows.exe"	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
4436	windows.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "c:/windows\\install\\windows.exe"	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "c:/windows\\install\\windows.exe"	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1180-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1180-4-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/1180-22-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1180-65-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1768-70-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1768-69-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-72.dat	upx
behavioral2/memory/1180-136-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2188-137-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/1768-561-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/4436-584-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2188-589-0x00000000240F0000-0x0000000024152000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\install\windows.exe	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
File opened for modification	\??\c:\windows\install\windows.exe	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3120	4436	WerFault.exe	85
264	3120	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
3120	WerFault.exe
3120	WerFault.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe
2188	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	explorer.exe
Token: SeDebugPrivilege	2188	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56
PID 1180 wrote to memory of 3432	1180	d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe	56

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:608
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:776
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:3004
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3724
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3816
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3880
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3968
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4020
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4884
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3944
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1488
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:5072
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:632
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3416
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:1820
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:772
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:2420
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:1920
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:3148
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:3032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1440
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1532

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2168

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2668

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe
  "C:\Users\Admin\AppData\Local\Temp\d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:1768
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
  - - C:\Windows\install\windows.exe
      "C:\Windows\install\windows.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 564
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        
        PID:3120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 776
        6⤵
        Program crash
        
        PID:264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3496

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:5068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4436 -ip 4436
  2⤵
  PID:3900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3120 -ip 3120
  2⤵
  PID:4820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3120 -ip 3120
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4492

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 2be5b09653ea893c531e545725c87598 fTa8A/yuY0G6PC+bWGJY2w.0.1.0.0.0
1⤵
PID:4332
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4424

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
240KB

MD5
9dced70ec47fb1a48f90bcee992b460f

SHA1
8fc41236995530c620c2c333d7bee0081824b501

SHA256
356e4f6e50b656184fd56b7972625c0f7488f5e5e663943c3aca91366148df84

SHA512
a62d4eeeb78975f1df531f89867745a6cb7d2d79a08b239345a25cbc4dd04d2fbc5897526e0ca145ef7c48535b9ed4de380d3009fa091c2521accf79aa375d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2b1dca28639b7ecef8f8fbde31b47f1d

SHA1
c59449e58af50565acfe12e97601dba74ec1b8ab

SHA256
3d3057205ea9c8a65b4611f85b36370b3fedc154e6c5296f03f0b2b1bb110ff9

SHA512
c7b05d36b6b50e64192b653d4b501cd1c384e394534d5129e62b0bb8409074ab766f250cb99abc0d7a747c90f3870da6cdb1d80add8754df851c5bae224c7a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9f426327b1b3c64aac529632b35554cb

SHA1
5247265f6daec4ae08e0b9fe06f64712f1531909

SHA256
25397c750a408587fab622cb0d64263c4c8a8751a9e0a05cac2dc2afedf780c2

SHA512
207dd7ff6f96f4497201d610b9baf9f3f0188ed5960bb8266dc7dc4c3ee012664bac39ec3d66d7bef8fff3ed5246c080372aa98775e6e1bb5a44b70865c83508

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7a4ad1d0ffebafab83d2c9d022a426b6

SHA1
35b9221e60779fd4eee6073d4658cd2722827674

SHA256
d1bae29e0843cfbab0d6b4cad9bc8f02c0fe1882ee66699160c050042d8cdb74

SHA512
7f31f884d1ca4cb11914169c42ef0c1e156f3c299d5fccfcd94a102327d83832d514de5ba7a3ee952cad03f1ee0c9c21bafcb25b0cb0ba0db78904088287871c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c806c7cae53e951123d1d4bc7437f5ff

SHA1
f4ef1bdf6116521e653ba979d88f92991734e0bd

SHA256
78e868467879196cbbc70a86801d092702c286292f50c157e1c6f04fa9432c7d

SHA512
52116dbaa94b75713f9d4b6de5b1e6d0ac8b12c0690a111c7062355072c5ebc42da792c87e2a28423d5bd773267c0d03def32f25999a4776aa6230f83c4167cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
75706e32c5b79913411a22fc3dd977f3

SHA1
7b84f21e6895ef35a9ca88bb1240667464822b62

SHA256
63ef7281cea6950364ba02f3dda4e2eb7d5f0cf995f0b1105ca9e08c5517d000

SHA512
9d80ca02e72c8b46ec2f164fb8e0ac358e5345f258df5bcc9a5016388306eef0a0ec4d9e8f949b0f9aa0f3db88ab6933478f917d6d5c456ec94b4998b950ac95

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6c64d524b8dc6ca3e00ffb49492ad4f2

SHA1
12222e3e2b2b342f4d1ce0e3065b9add5f82df0f

SHA256
f40b6de0505400d49d388363aa8b9b5f8bbb09d49fc3bcc2420e3bdeb506290b

SHA512
b1e2e60b085f1157f389a3a1d9d355ac8518f44511f5fcd946ddf98701e12dcefb339cefef774661eae09d46ebad307d11e800aec2099c515b86001019df6d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d8078dd9e78c79520dcc243402db9c69

SHA1
613e09ed1b092fef86aa0c958932573729ce4b04

SHA256
a4807bf25f5387ba8318252b87e42e662b0291d8694b4bdf2bba2880bdb71be4

SHA512
5f8be96962a2a905defc70d5a8aa113124a96a046ebb3e8e044a7da7a23efd34a4704bbcada891a53a091c02b571067010549481490ce679ea13e01d57720fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d778d5aa6fbcf10bd63e3cabf08bbdf9

SHA1
f252fcb30d0e615de8f26d0e7fd66600e129f730

SHA256
1e5edff605ca6e2f2c7f65a81bd70b3104090c7ee8173a019ed5f4e729dfa004

SHA512
d4913f9e0e0cb1b07af28714034485ed7d70ac3036678c36b957ec2853a9ff06d16c5264887645fa2aa777a8bec4e7787fe7d2a6d75fd1648940e127d3d01f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a226d6e29d74ee8ef136073afb2c9306

SHA1
aa31d5b9630a9f4c0fcbcbd5e050ca05ad5e3b2e

SHA256
999036887c9e8af03ad999b393e6fb1406c1d73f260a32d6dcbf32e0de61807d

SHA512
70fff3af10b98190470393af76164e395a16c307e729509215699fe89a3a598656fc8e0726a8617de826c443362a630aa135977b92ab7b73a45953b939974a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fe768c01a7f4c83e48b6e7747d39cc74

SHA1
e3a6b8a320ac5b193763e655a1be6bc74e90c981

SHA256
43f326cdac4dd9e15371977375880f0ecc9cc64df0228df04b263dbc8c1c51ea

SHA512
a2b3198bdde2c28743a211e50824334f5fcaa3424019213cc145df67ac4a30e04bd9239190ed18ff4f50b5d433f7756b31d0cfc3def9adb6e1d35b086f8ce0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
605be17a267a9b0261bd6d9d42f37f94

SHA1
69e7609c8b89d06f0c9b0738f3618df95e63a2e4

SHA256
71803b0ecab312f32f80c929d885f2a2265dd0b0557f333fbe128b5b89605b51

SHA512
24f3a593c14b7fb533f82218450cacc677ae2855faff26ebea631577b4c2d3cb9c5424134b2d9e2ef6f735a86e1401ca0057fe8a00685b8cb7255e34f38bb5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1a68f112350f4939771c3b6028de5812

SHA1
4eefc4179edb9d5863c5ebb3cc16e753d956fd8b

SHA256
1226a8db9bc684c2641f4ee1b3345355845c143c00565d95a30abf7677828408

SHA512
322c187aa2ad19410b6bde709c074b338c12a4dcf1355c24e3e63597606474b30b80298a2910b4088bdfee820982fb6431b32bfd1a3381ac2597d41ceafff633

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c42706ba209fc8eeef36c7ff3dda5111

SHA1
12749dfa4db11ce88b5b580114b22da2534b9e30

SHA256
df9e208cba0277da3209c0f610f28f41bb22b49b8ca0b823ef453f6be7d48d69

SHA512
fc698d92d82470f0fff1f59a58ff42a7a251a7263e4cc5f5924bdfd4d762a2c0997a54dc8736a0de01f6362f49caccd3ef5478ff43e183c445ea32a843583d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9df6042e669e9bd587c778d053f05e69

SHA1
463c518100901c2eedd18d41561fe01080a5ad90

SHA256
72c08c314923f0e243b99de697887d1403b5efdd9162600cfd6690b1f417dd0c

SHA512
97d6d1931e8f4ec6c2806072b78c0a8a10116a4bb94149253fcf638e8384a3d56a89d379c5bb2dcdd039afd63e990c70b2103cfe685d8d5fc13d044f68706a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1cd87a8148a179bd2607b00d3575f360

SHA1
ee7b5f62a74132637b686f21b04ec077fd965364

SHA256
866493aeb0a1987eb7e7849032a69061fcfdb76bb66a1bad3ade586a46f1a3b5

SHA512
3625267225d9ece05851dfb1f0628e589d66c1c9411db82c317ee00a4350843f83b2379e2b2432a06f72006c22fa3c170d1d90bdb6f0c7d443579b8ff68dfd42

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c359310e914420ec56165d9fab7f99c1

SHA1
12bf1b6f7b2f829310110670233dbb7600bf1ed3

SHA256
17b2780e93085ea5fc9f3c89494fe0d39ca601012df85024aeaa3a29fcd8ea70

SHA512
16355a24a788ed7f51d410d46b7c4ab579a36b0c8c5c35b6fcc955a0898594e087db12d4aee62630f70af9d7ceee3afa223963ea159d3f418de57011ee728e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
ebbcc498130b30e91a6c8f9c9abaf274

SHA1
d914e497921ccd1bf5a5487a5999950509d4a09b

SHA256
b8db6e1b3e64e8f739a1f8f4a081b3d910d1a25eb6e1947d016e9c6500c8e9e7

SHA512
fe30959620eff69ad00b379d3a2dc7658ff737eaca22361161c6eaa987d8be161792937cd63f7617a151dad4f4c89372c8c7c43af0e93786bdfc4b2979f4de80

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
be73cdd36715429a37502bdc457102f2

SHA1
6cb38dc80cd7fe30773733b8aa6a3b538747f7a4

SHA256
a4376ae0e69cef82e6e5a04f83928681ae48f5c9dd23e6cad6b1cf5b50098309

SHA512
2d7ac41c58cd011e786780928efefd274c7e12b7fd49e1b6c14a757ad2b558ba917dc7f06f8c1a968a3b94220e5d68483d8644cd1b39cb4a2a884b675b709c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
de8f38d71d204f03c878faff9fe5f891

SHA1
7f5f4e0f8a16d02135dcfe219e29c2c45fcb6676

SHA256
eb62355bae8a98c6528ddbe4a975d0930bd034afe54f5f70fc9468ed18a641ba

SHA512
003c0f5626b79fcd8505b75733cabc56e27792f412ac73d109058a65ad107068b581e98b962b719c2b0b9a3592bc076c2e129f4b719f5a66f5f9fb2fa61b2a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
89b7180f5dbe570935ef6e027ec0607d

SHA1
0de9194411cd298c2d3fff4f31bca10fc332a66e

SHA256
bd30ec5fd10420bf3c99c202a8fdd31f89778ae8da09bb031ce40685ee6d8ef9

SHA512
d641d52012bc74ca069a9e0f7247002a009b721833b5213bf9cd5bb99691c908f4388bca61979521086bdd3f61074b54bba00515e52517224b54e647e1617415

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
53c9133564171bed5aea9c9e5330df96

SHA1
e80ca0298d495c5bea591fff536c66631efbc736

SHA256
583c4d3328fda88511c661ae0c9677d3735800df1bc1ae0d2f1d3a5151bcbab6

SHA512
ca64e168518d9b91ffa6cde60976e99e399c26819e7893bbc023740d6d3e25a22b150db015bdbd0e2eff81c6cd9d26b6a56eb70bb283c764e84305251b51d812

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e4aaaf5f70b86c31629d3b5a022539d3

SHA1
10fc68a4e28223fbc9d6b6fc2a155d981b388fca

SHA256
b19169c91b13c9fdd0f330971413d6b913294ad18f83bc33d3a518b4c756f5d0

SHA512
b9c13577ae8275b97a06c1e067a51c0fc1bd86094c5cfef1130df011f603ca0e0f98f16352d2d4b04334823e5738d2cbfc1187089372db0ce2bcfac9bac51acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
266590755eb4a6e4dec1088500571453

SHA1
617489bb9fc9b8abf822952225c82252774a9e5f

SHA256
140a584a8b4b0ad4a061462ede0993f5c04f42b2bee726f496fb9d4974764a20

SHA512
808bc8aafdc8e5d3801e5c6d9a3baadf7d459008d6d032e9d73a7c04f2ff011e24d24ddfbea6788c3ec18043cd0c88203dbfa4c733a0a488b0e1b079dd173455

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
fab40e60caff79e58ef82995472f3942

SHA1
532a93e4e37adf48245bcc8309480ecd61a4eea0

SHA256
eeee128d2ee8bf2e6f3306d19bb8af00e7d37d2a040e576c851aecadf1ff41d3

SHA512
1d6f9324d410804d720dadfaf25e8f13c9404de9682a5fa1dd5d71650656fdac40faed14bfb33ffb833f4e07b240faa873f7ccf52cb848a9383fed73172657e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
76337b1ee136d05d1a25803cbf23990d

SHA1
98848d70b4524ffd072973375925c628c92796c7

SHA256
e3dae4c818b2e41b7eb0b44fecebede3484ee6a402350cb50d94a90a693925f8

SHA512
1c6c85089294335ede56b70344fb9bbb3879eabc7a8cc003d21db6a0f86e3419c59d56739bad9639b41080707cd2ce965af2b54736521b35c4e93d07c06f9267

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
edb4c3f2ee15365d2ae880d3cf2cd6b1

SHA1
a74ac65b254736f04dcbf2d4fb88993bbaf1b544

SHA256
20407b1a7616c0362901f2d7764332cd2ee5387900247d1c2f1b299cac6dcbc3

SHA512
b27ca8346c8418972288fcce1db7413c9e9d5dc2a1e1581a59bc5c49c82c1801ba35517c9f8ebb0bb383db5bbef65b07c7753cdbbd183c6e0db08f198cc674ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
61fa5ed5e3ce404798fbc89c4c15d85d

SHA1
1d4f03c936bee0ddc6a666948b20629affeb221e

SHA256
ce36344129b0b1d5e0e17053b42a3c6681e3a1c57940b48d7424eaa5c955c270

SHA512
4fc5a382a9cc5242a0616da61a5581303253f3d7d365c649f315dbe7d4527331e7885e3a41fffec661caea0702e396b1173637b75619979ff36281cc3f167ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
c5a5a055195c989ff467c2a4fdaaccef

SHA1
e165515cfaf38fc00f03f5dc0f6f3563d46e96a3

SHA256
5bdb3e134b0558ad6de892264cbe07096d6bdd3b56c8a59a673da7879a8c2f15

SHA512
8a31661f6ac9b17abb950be968942e3d01b7223e4bbeb22a9756c4a6ffe12f153ae1cf66a1d33c41463427ee15ff1d12c2fdcfd1548735b32374a9f7badaf32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
405353dce3931560d976397a4d78bdd9

SHA1
f0bcf749ca3842759f8438f6e64fdca3949ad241

SHA256
14c25ab8548f5bb5491578baace449c854418363d4fff898fadfad8afb66057a

SHA512
a084c0a22ac0c11e9e074d3c1447549efd7639b4c0b5feb7168e9266571a04c9ab45c137efe7b201e686bcacd2e534b39bbcb17e59a4f4faefcbb5db17d8d844

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1e9cd9d6a75bd7049112d6cd7c72755e

SHA1
8c65e7a4803b5213beece70d1af00f97a1598711

SHA256
991337c8eab3697a3941d3a4a422bd913afda5d08fb9cd09a967d129a8978bb0

SHA512
27bec142d5d0c88fce49721c2bfe26285e94d97201ec8b0106e43467cfccdbe29cbc383ac18a41a323ce220b04ca494e5027082755d6c62648a8a7d13d0a23f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
a18981558da9fc58bf505ecf8a438449

SHA1
4327f43947a8181ae81b31cbfc3997d9543d0c65

SHA256
d042b6647405c319e0de12d5b10e2a449a10eedc9bf956f9a0807c060f8487c9

SHA512
8b56cb7ff6d97fed889687fd4fdcacea761729e79117baf53c4c84672b16b51099cdadbbbaf12dd991966cc3f2265e8c71ec7aa089eaa3ec3db6f1a789a96f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d5b7ee10fa6b3b8b14a2e875dfb50160

SHA1
366a340edc987c2433eda805ea56ee38d9519df7

SHA256
edb70df5db9cdb6c1684824481c770b667a585e9ea8138f399020bd5d0e63571

SHA512
8bdd041a3ffa4e218b3572eff61bad2f1d348b2b991208db8aff49bbf80b34de9ab310a31df188c56acafa1f9012496512f93b54ff1f212258feb1c0319f44c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
078bcd22f7335effce4f6ca1d8d0a495

SHA1
dfea12dccd14737007daff0cd4e71d2db2f194a1

SHA256
a2ae1cf7156f815e976ec2f76483c8af05954b1daa51ebe51ebcc8b831679aca

SHA512
5609d63e306189d9b0769442ccbe4b43e6cdf486e7a7f037cead5cc437eae17682378a00b76be6eed73b1e9d81a83e98291396b8ff0605ea7d939626dcbaa2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b2b2190722af71e57d0e676401d83a88

SHA1
174be547695958f08caaa4a4476271c0ac1ffa4e

SHA256
7a2b1234c7253e7d8eac04a662a85b10746886366b28d82b1d09b8411ac29dad

SHA512
d2d3ac6c40d8af2ab27f8904b8ea199ce24d3b3a3b1ea7a9ba722481727688d64816760a3107e5b393ce9a5c5596dcb61137df8a224c27f25970ae29dfa5f8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
613b5a9e5f69e99e628a07ada11c5823

SHA1
001cbfe934dde2fb488146520a97fcfe54b55641

SHA256
9596d33580e6d0630f083a8f8a2d9730b8c800058eb0256d9c3b4573a393bdf1

SHA512
4840e3b8a2b87b2dc336cf4bb043b12ed371a4767579c3235d11a5c49d31ca27e1860ed439f0d7de211b6b0becebbda256310fe735befd96cc8096a2ce8cb5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
42da2d11ad6686ec4ddbc6a49b7a6cc1

SHA1
88f0383388c6f8b8544c7845ab6823261f8d0865

SHA256
1282c956cc9c52405acfc33a76336817bed5425a54f57d34de8074fdba01bde9

SHA512
8c194a366ce59c8ab09b578bb309147c61bf820a0a53b7f24682b232c45c959bf0ecb89ba1b1fe5f20db5bf8f6e4ee0ed083e26d4f45b72af88f474e560219f3

Download Submit
\??\c:\windows\install\windows.exe

Filesize
284KB

MD5
c716367a1771cb09ada30f56d3ca54cd

SHA1
3bb7123c13b84ff81d20101fd755efcc705f3a89

SHA256
d678d0f771784b26009584fce4d21696cb275a5ae7994e104b25fa2382b61622

SHA512
a876447d41ba27c4103a86a4858af3604d5ad52310cf4229bbf921c84188e827f61183cb94d99f5e5d206995702a1e97a87beebe31a452432ad464ae1b1e3386

Download Submit
memory/1180-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1180-4-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download
memory/1180-22-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1180-65-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1180-136-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1768-68-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/1768-70-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1768-69-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1768-561-0x0000000024080000-0x00000000240E2000-memory.dmp

Filesize
392KB

Download
memory/1768-8-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1768-9-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/2188-137-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/2188-589-0x00000000240F0000-0x0000000024152000-memory.dmp

Filesize
392KB

Download
memory/4436-584-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download